Design of Cryptographically Strong Generator By Transforming Linearly Generated Sequences

Transcription

1 Design of Cryptographically Strong Generator By Transforming Linearly Generated Sequences Matthew N. Anyanwu Department of Computer Science The University of Memphis Memphis, TN 38152, U.S.A. Lih-Yuan Deng Department of Computer Science The University of Memphis Memphis, TN 38152, U.S.A. Dipankar Dasgupta Department of Computer Science The University of Memphis Memphis, TN 38152, U.S.A. Abstract Random numbers have been used extensively in many simulation applications like Monte Carlo Integration or computer modeling. But recently security applications have increased the need for strong (secure) random number generation like automatic password generation, encryption algorithms, on-line gambling etc. Thus random number generation has become a challenging and an interesting task. Most classical random number generators, generate sequences that are either linear or predictable hence not suitable for cryptographic and security applications. Others generate sequences that even though they are secure they are not cryptographically strong and above all are slow in execution. Also recent advances in random number generation like the construction of Multiple Recursive Generator(MRG) with large orders, Fast Multiple Recursive Generator (FMRG) and DX(system of multiple recursive generators proposed by Deng and Xu [2003]) generators does not generate a strong random number sequences. Though MRGs have extremely long period of length 1

2 with good empirical performance, its recurrence equation can be solved given a small set of its generated sequence, this implies that MRGs and FMRGs are not strong cryptographic generators. We propose an algorithm that will transform linear sequences generated by both classical LCG, MRGs, FMRGs and DX generators and make them cryptographically strong generators by hiding the entire sequence generated by the generators, thus it will be difficult for cryptanalyst to predict or infer the generator sequence if even the partial sequence or the parameters or knowledge of the algorithm used in the transformation of the generators are known. Keywords: Linear Congruential Generator (LCG), Multiple Recursive Generator (MRG), Random Number generation, Strong (Secure) generators and classical generators 1 Introduction The quality of any simulation application or study depends to a large extent the quality of random number generator. In the same manner the security of any cryptographic application that uses random numbers depends on the strong nature of the random number generators. Classical generators like LCGs generates random sequences that are linear, fast, simple and easy to implement, thus they have wide range of uses in simulation applications. But recently there have been great demand for random generators by security applications like automatic password generation, on-line gambling, digital signatures, encryption algorithms etc. A random generator is cryptographically strong if it is not possible to predict the value of the next random bit and also if it is generally incompressible (See, Bruce [1994]). The efficiency of a good random number generator for cryptographic purposes is determined by the number of mistakes in predicting the next random bit and also if the prediction can be computed in polynomial time (See, Hugo [1998]). Cryptographic generators are also expected to be fast in generating its output sequences, and the sequences it generates should be difficult to predict or infer. There have been recent advances in random number generation to generate sequences that are cryptographically strong but experimental results have shown that these generators are still insecure as their next bits can be predicated. Recent advances in random number generation include MRGs with large order (See, Deng [2005]), FMRGs (See, Deng and Lin [2000]) etc. In Section 2, we review some of the classical generators and state why they are not cryptographically strong generators by enumerating their shortcomings. In Section 3, we review the recent advances in random generation and attempt to make these generators strong cryptographic generators. We also stated how to transform these generators into strong generators. In Section 4, we proposed an algorithm that will transform the sequences generated by classical linear generators like LCGs and recent generators to produce a strong cryptographic generator that will be difficult for a 2

3 cryptanalyst to predict or infer. Our algorithm transform the random bits generated by both linear classical generators and MRGs into a cryptographically strong bits by performing a transformation on the original generated bits and then perform a bitwise exclusive-or operation between the original bits and the transformed bits. The transformation of the bits is used in hiding the generated bit sequence from the attacker. The transformation also breaks the linear structure of the linear sequences making them difficult to predict. The final output are sequences that are difficult to predict and strong for cryptographic purpose. In Section 5, we did a comparison between sequences generated by classical generators and our transformed sequences. 3

4 2 Classical Random Number Generators Pseudo-random number generators (PRNG) are random number generators that produce sequence of values based on an initial seed and current state. They are called deterministic generators in that given the same initial seed they will output the same sequence values. Random numbers have been applied in simulation experiments, randomized algorithms, and Monte Carlos methods in numerical analysis and also in cryptography (See, Neal [1994]). PRNGs used for cryptographic purposes are expected to be fast (computable in polynomial time) and secure (See, Stinson [2006]). But classical generators do not meet these two objectives simultaneously. Most classical generators like RSA and Blum-Blum-Shub (BBS) which are called power generators are cryptographically secure but too slow and cumbersome in performance for cryptographic applications. Other classical generators based on linear congruencies like Linear Congruential Generator (LCG) or linear feedback shift registers (LFSR) are very fast and easy to implement. But these linear generators are not cryptographically secure (the next bit stream value generated can be predicted), thus they are not good for cryptographic applications A PRNG is cryptographically secure if it is computationally infeasible to predict the value of the next random bit, even with knowledge of the algorithm, the hardware that generates the sequence and also the previous bit streams (See, Bruce [1994]). Also secure PRNG are generally incompressible (See, Bruce [1994]), except when given the key (algorithm). In this section we will review some early classical generators like RSA, BBS, BM (Blum Micali), LCG, LFSR and recent advances in pseudo-random number generators (Multiple Recursive Generators (MRG)) 2.1 Linear Congruential Generator: Linear Congruential Generator (LCG) was proposed by Lehmer [1951]. It uses a linear function over modulus arithmetic field. LCG is one of the most widely used PRNG, especially in simulation applications. It is produced iteratively as shown in the equation below; X i = (BX i 1 + c) mod m, i 1, (1) where X i, B, c, and m are positive integers and are called the parameters of LCG (X i are all integers between 0 and m-1). The quality of the generator depends on the selection of the increment c, multiplier B, initial seed X 0, and modulus m. If c =0, the LCG is called mulplicative linear congruential generator (MLCG) as shown in the equation below; X i = (BX i 1 ) mod m, i 1, (2) The number sequence generated by the LCG is of the form X 0, X 1, X 2..., where X 0 is the initial seed. A series of researches and experiments have shown that LCG sequences can be easily predicted and this raises some doubt about the security of LCG when it is used in any cryptosystem, thus it is not suitable for cryptographic applications. 4

5 Boyar [1982] and Bruce [1994] showed that if the whole sequence of LGC is published, the sequence can be predicted if the initial seed is given, even though other parameters (B, c or m) of LCG may be unknown. LCGs have been broken as specified in articles (See, Boyar [1989] and Reeds [1977]). Thus LCGs are not good cryptographic generator but very useful in non-cryptographic applications like simulation. An on-line poker game that uses random numbers generated by LCG to shuffle deck of cards will be flawed because the LCG sequences can be easily be predicted and this will lead to cheating in the game if the sequences generated by LCG are not made secured Predicting LCG Generator: Boyar [1982] used the Plumstead s algorithm to predict the LCG sequence using partial consecutive sequence of the generator, the number of the consecutive sequence used depends of the size of the modulus. In simulation of the Plumstead s algorithm by Pommerening (See, Pommerening [2003]), when the size of the modulus is of the order of (2 31 1), ten consecutive sequence of the generator are needed for the prediction of LCG sequence. There are also many other methods of predicting the sequence of LCG which depends on LCG parameters given. If the multiplier (B) is unknown but the partial sequence and the modulus are known then the LCG (2) can be predicted by calculating the modulus inverse as stated below; B=X 1 *X -1 0 mod m, Where X 1, X 0 are the consecutive variates of the LCG. The value of the multiplier B will then be substituted to predict the LCG sequence (2). If only the partial sequence of LCG generator is given, the modulus, multiplier and the seed of the LCG can be determined using Haldir method of cracking LCG generator (See, Haldir [2004]). Haldir cracking of LCG generator is based on George Marsaglia analysis of pseudorandom random number generators. Marsaglia pointed out that there is a flaw in pseudorandom generators as their uniform variants when viewed as points in a cube fall into hyper-plane, which contains points that are well distributed in a unit cube. The LCG sequence is used in forming a matrix, the determinant of the matrix will give an integer multiple of the modulus m. Then the gcd of a number of matrices gives the actual value of the matrix. Given the LCG as in (1) where c =0, if X 0, X 1, X 2... are observed from the sequence of LCG, then they can be used to form a matrix thus; The determinant D = X 1 X 3 X 2 X 2. Note that X 1 X 2 X 2 X 3 D mod m = 0(since D is an integer multiple of modulus m. Thus modulus m = GCD (D, for some number of matrices (about 4 or 5). If the LCG is as in (1) where there is a constant, the matrix formed is as given below using Haldir cracking of LCG generator method as shown below; 5

6 X 1 X 2 1 X 2 X 3 1 X 3 X 4 1 Given the LCG sequence of consecutive numbers; , , , , , , , Using Haldir method, the LCG sequence is used to form a 3 3 matrix of the form; The implementation of Haldir s method using the LCG sequence predicts the LCG sequence thus; m = , k= and seed = When we applied Haldir s method to our proposed algorithm(as in section 4), the transformed LCG sequence is not predicted, because the transformed LCG sequence are hidden by applying our proposed algorithm in section 4, making it computationally difficult for an attacker to infer the sequence of an transformed LCG sequence. Thus knowing the partial sequence or some of the parameters of the transformed LCG generator does not pose a threat any longer as our proposed algorithm is applied to the transformed LCG sequence. 2.2 Linear Feedback Shift Register (LFSR) Generator: LFSR is used in generating sequence of binary bits. It is a PRNG whose input bit is a linear function of two or more bits. It uses a short seed to produce sequence of bits which has a very long cycle. LFSR can be said to be a special type of Multiple Recursive Generator (MRG) but it differs from MRG in that it generates binary sequence of bits while MRG generates sequence of numbers. It is based on the linear recurrence which is of the form stated below (See, Tausworthe [1965]); X i = (α 1 X i α k X i k ) mod 2, (3) The linear recurrence of LFSR is based on Z 2 recurrence. The sequence of values produced by LFSR is determined by its current or previous state. The parameters of LFSR are k > 1 (the order of the recurrence), X i (bit generated), α (the multiplier) and X 0 the initial seed. The maximum period of the recurrence is 2 k 1, if and only if the characteristics polynomial is as given below; F(x) = 1 + α 1 x + α 2 x x k (4) 6

7 The characteristic polynomial (4) is a primitive polynomial in Z 2, which is a finite field with 2 elements (See, Lidl [1994]). The recurrence of (3) shows how each bit of the state evolves and also that each bit of the output is a linear combination in Z 2 of the given state (See, Tausworthe [1965]). LFSR like LCG is a fast generator; it produces linear sequence of bits. LFSR sequence like that of MRG can be predicted as stated in section Also LFSR bit-string sequence can be predicted using Berlekamp-Massey algorithm (See, Massey [1969] and Berlekamp [1968]). 2.3 Blum-Micali (BM) Generator: BM is a cryptographically secure generator presented by Blum and Micali [1982]. It is based on the difficulty in computing discrete logarithms [See, Stinson 2006], which is also based on the believe that the modular exponentiation modulo is prime and a one-way function. Thus it is based on the underlying discrete logarithm over a finite field and also on the assumption that solving discrete logarithm problems is a hard problem even when the exponent is small. The general form of BM is as given below; X i+1 = a X i mod m, i 0 (5) The output of the generator is 1 if X i < m/2, otherwise 0. The constant a is a primitive root in the finite field. This generator is secure if the modulus m is very large (1024-bit modulus ) thus it is computationally difficult to compute the discrete logarithms mod m. BM is not suitable for cryptographic applications even though it is secure, because the generation of the output sequence is very slow. 2.4 Blum Blum Shub(BBS) Generator: Blum, Blum and Shub [1986] invented the BBS pseudo-random number generator. BBS is based on the hardness of quadratic residues and inter factorization over modulus field ( See, Stinson [2006], Raja and Hole [2007] ). It is a simple and secure cryptographic generator. BBS is generally of the form; X i+1 = (X i ) 2 mod m, i 1 (6) Z i =X i mod 2 (7) Z i is the output of the generator. 7

8 The modulus m of BBS is the blum integer. The relationship between the modulus m and the two large prime integers p and q is given below. m=p q and p q 3mod m. The security of this generator rests on the ability of the cryptanalyst to factor m. Also only one bit of the sequence is generated at a time instead of the whole number (See, Boyar [1989]), this makes the generator very slow in generating its sequences. Also it cannot be used as a strong cryptographic generator because it has been shown that in the Blum protocol of BBS, the modulo m can be factored during key exchanges (See, Hastad and Shamir [1985]). 2.5 RSA Generator: RSA generator is based on the assumed security of RSA cryptosystem proposed by Rivest, Shamir, and Adleman[1978]. It is based on the hardness of integer factorization of the modulus number (See, Stinson [2006]). RSA forms a sequence of numbers in which each element in the sequence is an RSA encryption of the previous element. The least bit of the element forms the bit-string. The general form of RSA is as stated below; X i+1 = X i e mod m, i 1 (8) Z i is the output of the generator. Z i = X i mod 2 (9) The modulus m is a product of two large prime numbers p and q (512-bit primes), e is chosen so that gcd(e,φ(m)) = 1 (10) where m and e are public key while p and q are the secret keys. The security of RSA is based on finding the factors of m, If m is large enough(1024-bit modulus ) it will be difficult to factor it, RSA is a very slow generator, as only one bit of the sequence is generated at a time instead of the whole number. 3 Recent Advances in Random Number Generation The classical generators like BBS, BM, RSA, LCG and LFSR described above are not good candidates for security applications. While BBS, BM and RSA are secure, they are slow in generating their bit sequences yet they are being used in some security applications as they are readily available. LCG and LFSR are not secure but they are fast in generating their sequences and also easy to implement. Cryptographically secure generators are supposed to be fast in generating its sequences and also its bit sequence is supposed to be difficult to predict 8

9 in computational time. In the following section we will review the recent advances in random number generation and its suitability for cryptographic purposes. 3.1 Multiple Recursive Generators (MRGs) MRG is one the most extensively studied and most widely used PRNG which is based on the k-th order linear recurrence. The next value of MRG is computed recursively based on its previous values (See, Lehmer [1951]). The basic equation of MRG is thus stated below; X i = (α 1 X i α k X i k ) mod m, i k (11) The starting values are (X 0, X 1, X 2... X k 1 ), which are not all zero; m is the modulus which is a large prime number and X i can be transformed using U i = X i /m. In order not to obtain 0 or 1, (See, Deng and Xu [2003]) transformed U i = (X i +0.5)/m. The parameters of MRG are X i (generated sequence), α k (the multiplier), m(the modulus)and the order k. The maximum period of an MRG of an order k is m k 1, which is obtained if the characteristic polynomial is as given below; f(x) = x k α 1 x k 1 α k, (12) is a primitive polynomial and the modulus is prime. MRG is an improvement of LCG as it has good empirical performance, long periods and higher dimensional uniformity when compared to LCG. MRG reduces to LCG when its order k=1. When the order k of MRG is large, it becomes less efficient as it needs several multiplications compared to LCG which needs only one multiplication. To improve the efficiency of MRG many authors and researchers proposed improvements to it. Deng and Lin [2000] proposed FMRG which needs only one multiplication like LCG, thus in addition to features inherent in MRGs, FMRG is very fast, making it as efficient as LCG. Deng and Xu [2003] and Deng [2005] improved the performance of FMRG by proposing a system of DX generators which are fast, portable and efficient with maximal period compared with FMRG. They fixed the coefficient of the non-zero multipliers to be equal. The DX (DX-k-s(s =1 to 4)) generators by Deng and Xu [2003] are as stated below: 1. DX-k-1 [FMRG] (α 1 = 1, αk = B). X i = X i 1 + BX i k mod m, i k. (13) 2. DX-k-2 (α 1 = α k = B). X i = B (X i 1 + X i k ) mod m, i k. (14) 3. DX-k-3 (α 1 = α k/2 = α k = B). X i = B (X i 1 + X i k/2 + X i k ) mod m, i k. (15) 9

10 4. DX-k-4 (α 1 = α k/3 = α 2k/3 = α k = B). X i = B (X i 1 + X i k/3 + X i 2k/3 + X i k ) mod m, i k. (16) Predicting MRG Generator: The characteristics equation of MRG as defined in (12) has been determined by the first 2k terms of the sequence using a system of k equations (See, Lidl and Niederreiter [1994]). MRG sequence with the modulus and the partial sequence known can also be predicted, when the system of linear equations which can be formed using the recurrence of (11) is solved (See, Stinson [2006]) as shown below; α 1 X 1 + α 2 X α k X k = X k+1 mod m α 1 X 2 + α 2 X α k X k+1 = X k+2 mod m... α 1 X k + α 2 X k α k X 2k 1 = X 2k mod m These systems of linear equations can be re-written in matrix format as X k+1 X k+2 = X 2k X 1 X 2 X k α 1 α 2 X 2 X 3 X k+1.. X k X k+1 X 2k 1 α k The above equation can also be re-written as X (column), α (column) and M (matrix) as shown below, X = M* α (mod m). (17) This gives rise to k equations in k unknowns. If the matrix M (k k) in (17) has an inverse (mod m), then the solution to (17) can be obtained thus; α= M 1 * X (mod m). (18) The values of the multipliers (α 1, α 2,, α k ) can then be obtained by solving (18). Hence this will lead to the prediction of MRG sequence of (11), given the modulus m. If the modulus of MRG is not known but the partial sequence (X k+1,x k+2,x k+3,...,x 2k ) (at least 2k terms) for k-th order MRG is given, the sequence of the MRG can be predicted by forming a matrix of (k + 1) rows using consecutive terms of the sequence as done in the case of LCG. The determinant D of the matrix can then be calculated 10

11 D calculated is an integer multiple of the modulus m, thus D (mod m) =0. The actual modulus is calculated thus m = gcd (D, for a number of matrices (about 4-5)). The sequence of the MRG is then used to form a matrix equation; the modulus is substituted and used in solving the equation of (18) to calculate other parameters of the MRG. Given the following MRG sequences; , , , , , , with initial seeds of X 0 = , X 1 = , X 2 = and modulus m = , of k-th order =3, we used (17) and (18) to obtain the parameters of the MRG and hence predict its sequence as shown below; = α α α 3 The solution to the above matrix equation in modulus m (we developed a c-code using NTL (Number Theory Library) packages to solve the matrix equation) gives the parameters (multipliers) of the MRG, the solution is as stated below; as (α 1, α 2, α 3 ) = (16807, , ). The MRG sequence can be predicted by substituting the parameters obtained in (11), which will give the matrix equation X i = (16807X i X i X i 3 ) mod , i 3 (19) where X 0 = , X 1 = , X 2 = Using (19), we predicted the sequence of the MRG. When this method of obtaining the parameters of MRG is applied to our proposed algorithm (section 4) for the MRG, the parameters of the MRG was not obtained because our proposed algorithm hides the MRG sequence making it difficult for an attacker to infer or predict the sequence. Thus knowing the partial sequence or any of the parameters of the MRG does not pose a threat any longer when our proposed algorithm is applied. 4 Algorithm for secure and efficient pseudo-random number generator In order to make LCGs and MRGs and other linear PRNG strong cryptographic generators. We propose an algorithm that will transform the linear sequence generated by the PRNGs. The transformation (20) hides the generated bits sequence, breaks the linear structure of the sequences and then perform a bitwise exclusive OR between the original bits and the transformed bits 11

12 The output of our algorithm gives a bit sequence which will be practically impossible for an attacker to infer in computational time. Our algorithm is stated below; Y i = X i T (Xi+1 ). (20) In transforming the generated bits, we first truncate the bit performing a binary shift operation as shown below; STEP 1: A transformation is performed on the sequence (X i ) X i = (b 1, b 2... b n ) mod 2 (21) The transformation produces T (X i+1 ) given below; T (X i+1 ) = (b n, b n 1... b 2, b 1 ) mod 2. (22) STEP 2: A bitwise exclusive-or operation is then performed between the transformed and the original generated sequences as shown below; Y i = X i T (X i+1 ), (23) where denotes exclusive OR operation between the transformed sequence and the original generated sequence. The exclusive OR operation is used in producing a secure cryptosystem as explained in the next subsection. The final output of our algorithm (23) gives a cryptographically strong pseudorandom sequence which is computationally difficult to infer or predict. The transformed sequence hides the bits for each of the generated output sequence and breaks its linear structure making it impossible for the cryptanalyst to infer or predict the linear sequence or solve the characteristics equation of the MRGs by a system of k equations. Our algorithm not only hides the originally generated bits but it performs exclusive OR operation between the transformed bits and original bits. The exclusive OR operation is necessary to ensure that the final output sequence is computationally difficult to infer. 4.1 Simulation of the Proposed Algorithm: We applied our algorithm as stated in (23) to equations (2), (13), (14), (15) and (16). We implemented our algorithm using c-code supplements, various parameters of both LCG and MRGs were used. The algorithm is based on a 32-bit binary sequence. Our algorithm produces a secure generator that is very fast and computationally difficult to infer or predict, this is evidence by the following features; 12

13 Our algorithm generates its bits sequence in polynomial computable time; the generation of the bits is also very fast. We used linear sequences (LCGs, MRGs) by Deng [2005, 2008] that passed standard statistical tests, thus both the input and output bit-strings of the algorithm are well distributed. The algorithm uses initial seed of short sequences and generates output long sequences bit-strings that are well distributed. Our algorithm hides the entire bits of the bit-string generated by linear generators, making it computationally difficult for an attacker to infer or predict the bit string of the generator. Our Algorithm hides the bits generated by the linear generators using the following techniques; Our algorithm transforms the bit-string sequence by reversing the order of the bits of the bit-string after truncating its lower bits before performing a Bitwise Exclusive-OR operation on the bits. The reversal of the bit-string sequence by our algorithm breaks the linear structure of the linear sequences producing a non-linear sequence. Also non-linear sequence is more secure when compared with linear structure as evidenced by BBS, BM and RSA generators The Bitwise Exclusive-OR between the transformed bit-string and the original bit-string by our algorithm is used to toggle the positions of bits in the original bit-string with the transformed bit-string making it computationally difficult for the attacker to predict correctly the position of the bits in the original bit-string. The Bitwise Exclusive-OR between the transformed bit-string and original bit-string is used to produce a cipher bit-sting. Thus when an attacker attempts to predict the bit-string he will only succeed in getting the cipher bit and not the original bit. This makes the bit-string produced by our algorithm to be computationally difficult to predict The Bitwise Exclusive-OR operation introduces a piling-up lemma (See, Lemma 3.1 of Stinson [2006, page 81]), which ensures that the binary variables are independent, that is the state of one has no effect on the state of any of the others which also ensures equi-distribution among the binary bits. Thus it is difficult for an attacker to predict the transformed even if some part of the sequence is revealed. Thus our algorithm produces a strong generator by transforming the linear sequences produced by LCG and MRGs into unpredictable sequence of bits. 13

14 4.2 Security of the Proposed Algorithm: The figures below shows that the sequence generated by linear generators is linear in structure (figure 1) while our transformed sequence is not linear (figure 2). We used LCG (B, m) to denote LCG (2) with multiplier B and prime modulus m. Thus we used LCG (B=3, m=127) to show that LCG sequence is linear (figure1), while the transformed LCG (B=3, m=127) is not linear. Figure 2 shows that our algorithm breaks the linear structure of the linear generators sequences, thus making them more difficult to infer or predict. The linear structure of the linear sequences is broken when our algorithm is applied by reversing the order of the bits, shifting the bits by one position to the right, and performing exclusive-or operation between the original bit sequence and the transformed bit sequence. Also the same result in figure 1 and figure 2 will be obtained if MRGs and MRG transformed by our algorithm is used. The security property of our proposed algorithm is based on the reversal of the bits sequence and the bitwise exclusive-or operation between the original bit sequence and the reversed bit sequence. Our proposed algorithm has transformed the linear sequence of LCG and MRG into non-linear sequence. Thus a hacker can obtain information about the parameters of LCG and MRG generators as stated above(for LCG generator) and given in the Table 1(for MRG generator)and attempt to used it to break our proposed algorithm but our algorithm hides the entire sequence generated by the linear generators making it difficult for him to crack the algorithm, hence knowing some of the partial sequence or the parameters of the linear generators LCG(B, c and m) and MRG(K, α k, and m) will no longer pose a security threat to the generators, as they cannot be used to solve for or predict the sequence of the generators. This makes our algorithm difficult to infer by attackers. Also if the hacker has information about the algorithm we used in transforming the generator sequences, it will be difficult for him to reverse (invert) the sequences back to linear sequence. Thus the transformed sequence now behaves like a non-linear sequence, which is difficult to infer or break. 4.3 Recommended Parameters for Our Proposed Generator: The modulus of the generators (LCG and MRG) transformed by our proposed algorithm and the one we have been using for our experiments is rather too small to be used for practical purposes. Park and Miller [1988] published minimal standard for LCG parameters. The minimal standards are large prime numbers of modulus m =2 31 1, B=16807 and c (constant term) =0 for 32-bit CPUs. We recommend this minimal standard for LCG parameters when our proposed algorithm is applied. Table1 below shows some of the parameters of DX generators by Deng [2008] determined by efficient search algorithm. We recommend the parameters in table 1 for our proposed algorithm used in transforming the sequence of MRG (DX) generators. The parameters in table 1 are used in producing efficient and portable multiple recursive generators of large order with good empirical performance and a period of approximately (See, Deng [2008]). 14

15 Matthew N. Anyanwu, Lih-Yuan Deng, and Dipankar Dasgupta Table 1: List of k, m and α < 2 30 for DX-k-s generators k m s=1 s=2 s=3 s= Comparison between Classical Generators and Transformed Generators As stated in proceeding sections classical generators, that are fast in generating their output sequences like LCGs are not cryptographically strong since their sequences can be predicted. Also classical generators that are secure are not suitable for cryptographic applications as they are very slow in generating their output sequences since the generators produces one bit at a time rather than the entire sequence at each step of the generation (See, Boyar [1989]) but they are still been used in security applications they are readily available. Classical generators like LCG can be easily predicted if the previous elements of the sequence and the initial value are given, without knowing the modulus and the multiplier (See, Hugo [1999]). LCG can also be predicted if the modulus and the previous sequence is given even though the multiplier and the initial seed are not known by using the inverse of the modulus (See, Frieze and Langarias [1984]). MRGs, FMRGs including DX generators can be predicted if the characteristics polynomial equation can be solved using a system of k equations (See, Lidl and Niederreiter 15

16 [1994]). The BBS, BM and RSA generators are secure but they are not very fast in generating their bits sequence, the output sequence is generated one bit at a time. Most classical generators are linear generators in that the structure of the generated sequences is too regular and have a coarse lattice structure (See, Takashi et al [1996]). But the transformed sequence by our algorithm is fast, efficient, non-linear and strong, also difficult to predict or infer. 6 Conclusion Experimental results and tests have shown that classical generators like LCGs that generate pseudorandom linear sequences are not suitable for cryptographic purposes, even though it is simple, efficient and easy to generate. Other classical generators like BBS, RSA, and BM etc that are thought to be secure are equally not good enough for cryptographic purposes as they are slow in generating the next random bit sequence. Also the recent advances in random number generation (MRGs and FMRGs) are fast and efficient in generating linear sequences with long periods and good empirical performance, but still they are not cryptographically strong as the linear system can be predicated using a system of unique k equations. Our proposed algorithm produces a strong pseudorandom sequence that is suitable for cryptographic purposes and difficult to predict/infer by transforming the linear sequences and breaking its linear structure. The transformation hides the linear bits of the generated linear sequence preventing the attacker from accessing the generated output sequence, even with the knowledge of the partial sequence, parameters of the generators and the algorithm used in transforming the generator sequence. Thus knowing the parameters and partial sequence of the generators does not pose any threat any longer as the prediction of the generator sequence will no longer be an easy one. Also the knowledge of the transformation algorithm will not be of much use to the attacker as he will find it difficult to reverse (invert) the transformed sequence back to linear sequence. The bits sequence generated by our algorithm has features described in section 4.2, which makes the output sequence to be fast, strong and also difficult to predict or infer.

17 16 Matthew N. Anyanwu, Lih-Yuan Deng and Dipankar Dasgupta References: 1. Alexi, W., Chor, B. Z.,Goldreich, O. and Schnorr, C.P. (1988). RSA and Rabin Functions: Certain Parts Are as Hard as the Whole Proceedings of the 25th IEEE Symposium on the Foundations of Computer Science Berlekamp, E.R Algebraic coding theory McGraw-Hill, New York, (1968). 3. Blum, M., and Micali, S. (1982). How to generate cryptographically strong sequences of pseudo-random bits.in Proceedings of the 23rd IEEE Symposium on Foundations of Computer Science. IEEE, New York. pp l Blum, L., Blum, M., and Shub, M. (1983). A simple secure pseudo-random number generator. In Advances in Cryptography: Proceedings of CRYPTO 82. Plenum Press, New York, Blum, L., Blum, M., and Shub, M. (1986). A simple unpredictable pseudo-random number generator. S IAM Journal on Computing, Volume 15, Issue 2, pp ISSN: Boyar, J. (1982). Inferring sequences generated by a linear congruence. Proceedings of the 23rd Annual IEEE Symposium on the Foundations of Computer Science pages Boyar, J. (1989). Inferring sequences produced by pseudo-random number generators. Journal of the Association for Computing Machinery 36, Bruce, S. (1994). Applied Cryptography: Protocols, Algorithms and Source Code in C John-Willey and Sons, New York, ISBN: Deng, L. Y., and Lin, D. K. J. (2000). Random number generation for the new century. American Statistician 54, Deng, L. Y. and Xu, H. Q. (2003). A System of High-dimensional, Efficient, Long-cycle and Portable Uniform Random Number Generators, ACM Transactions on Modeling and Computer Simulation, Vol. 13, No. 4, pages Deng, L. Y. (2004). Generalized Mersenne prime number and its application to random number generation, in Monte Carlo and Quasi-Monte Carlo Methods 2002 (H. Niederreiter, ed.), Springer-Verlag, Deng, L. Y. (2005). Efficient and Portable Multiple Recursive Generators of Large Order, ACM Transactions on Modeling and Computer Simulation(TOMACS), Volume 15, Issue 1 PP ISSN: Deng, L. Y. (2008). Issues on Computer Search for a Large Order Multiple Recursive Generators, in Monte Carlo and Quasi-Monte Carlo and Quasi-Monte Cralo Methods 2006(S. Heinrich, A. Keller and H. Niederreiter, ed.) Springer-Verlag,

18 14. Frieze, A.M., Kannan, R.and Lagarias, J.C. (1984). Linear Congruential Generators do not Produce Random Sequences. 25th Annual Symposium on Foundations of Computer Science, pp Hastad, J. and Shamir, A. (1985). The cryptographic security of truncated linearly related variables. In Proceedings of the 17th ACM Symposium on Theory of Computing (Providence, R.I., May 6-8). ACM, New York Haldir, R. (2004). How to crack a Linear Congruential Generator Hugo, K. (1999). How to Predict Congruential Generators. In Proceedings on Advances in cryptology(santa Barbara California USA) ISBN: Lehmer, D. H. (1951). Mathematical methods in large-scale computing units. Proceedings of the Second Symposium on Large Scale Digital Computing Machinery, Harvard University Press, Cambridge, MA, L Ecuyer, P. (1997). Uniform Random Number Generation: A Review. Proceedings of the 29th conference on Winter Simulation conference, Atlanta Gergia USA L Ecuyer, P., Blouin, F., and Couture R. (1993). A search for good multiple recursive linear random number generators. ACM Transactions on Modeling and Computer Simulation, 3, Lidl, R., and Niederreiter, H. (1994). Introduction to Finite Fields and Their Applications. Revised Edition. Cambridge University Press, Cambridge, MA. 22. Marsaglia, G. (1968). Random Numbers fall mainly in the planes. Proceedings of the National Academy of sciences Vol. IT-15, January Massey, J.L. (1969). Shift-register synthesis and BCH decoding. IEEE Trans. on Inform. Theory, 61, Neal R. W. (1994). The Laws of Cryptography, online book Park, K. and Miller, K Random Numbers Generators: Good Ones are Hard to Find. Communication of the ACM vol. 31.No.10, pp Pommerening, K. (2003). Prediction of linear congruential generators http: // mainz.de/pommeren/ 27. Raja,G and Hole, P.H. (2007). Use of the Shrinking Generator in Lightweight Cryptography for RFID Rivest, R., Shamir, A., and Adleman, L.(1978). A method for Obtaining Digital Signatures and Public-Key Cryptosystems. Communications of the ACM, 21,

19 29. Reeds, J.A (1977). Cracking Random Number Generator. Cryptologia, v.1, n. 1, Shamir, A. (1983). On the Generation of Crytographically Strong. ACM Transaction on Computer Systems (TOCS), pp , Volume1 Issue1. ISSN: Stinson, D. (2006). Cryptography: Theory and Pratice 3rd edition CRC Press, Boca Raton, Florida, ISBN: Takashi, K., Li-Ming, W. and Niro, Y. (1996). On a nonlinear congruential pseudorandom number generator Mathematics of Computation, Volume 65, Issue 213, , ISSN: Tausworthe, R.C. (1965). Random numbers generated by linear recurrence modulo two Mathematics of Computation, 19: